The present invention is directed to call-switching equipment for telephone networks and in particular to devices for curbing abuse of direct-inward-access systems.
The combination of electronic, stored-program telephone switching systems with discounted bulk toll offerings gives rise to a feature that provides a convenient way to reduce telecommunications costs. In accordance with this feature, an authorized person at remote location can place a call to a xe2x80x9chome officexe2x80x9d private branch exchange (PBX), receive dial tone from the PBX, and place an outgoing call just as if he were calling from his office.
The industry uses the acronyms RSA (Remote Service Access) and DISA (Direct Inward Service Access) interchangeably to refer to this feature, to which we refer herein as DISA. DISA features are currently available primarily in conjunction with PBX systems, and we will accordingly refer to PBX systems for the purpose of concreteness. However, DISA-like features are also available to users of certain central-office-based services, and it will become apparent that the invention to be described below is applicable to these types of arrangements, too, as well as to a host of non-voice-based services, including but not limited to data networks and modem pools. The invention is equally powerful in providing protection of sensitive internal destinations, such as the maintenance ports of communications and computer systems.
DISA offers both cost and administrative advantages. If the firm that owns the PBX subscribes to bulk-rate toll services, such as WATS, placing a call through remote service access can reduce the cost of the call. For example, an employee whose home office is in Seattle but who has traveled to San Diego may want to call a customer in Fort Lauderdale. If he uses his telephone-company calling card, a ten-minute call at ATandT daytime rates may cost around $3.00. In contrast, his company may pay around $0.09 a minute on the average for both incoming and outgoing bulk services, so if the employee places the call instead to his Seattle office, which then switches it to the customer in Fort Lauderdale, the cost may be only about $1.80.
Moreover, the company""s call-accounting system can thereby keep track of such calls automatically, relieving the company""s accounting department of the need to allocate telephone costs manually among its various departments. In certain circumstances, it also provides a tool for measuring the performance of personnel whose jobs involve high levels of telephone activity.
Unfortunately, unscrupulous people can sometimes discover the passwords by which the DISA systems"" owners attempt to restrict access to their facilities. Indeed, such occurrences have happened frequently, some of them resulting in large losses to the company that has availed itself of the DISA feature. In like manner, loss and system damage have resulted from fraudulent abuse of voice mail and massaging systems, to which the application of the invention is equally applicable.
Responses to this problem have been various. Some users have simply discontinued the DISA feature because of the risk of significant loss. Others have reconfigured to disable its use for calls to destination area codes known to be favorites of xe2x80x9chackers,xe2x80x9d and they may also monitor telephone traffic so as to identify unusual activity.
Of course, discontinuing the DISA service does eliminate the problem, but it also eliminates the savings that ordinarily result from DISA-service use. The other approaches can be fairly effective in general, but they lack flexibility, require excessive attention from the telecommunications manager or both
The present invention is a method and apparatus for reducing the vulnerability of the telecommunications system to unauthorized use that is easy to implement and that can reduce the instances of unauthorized access even during periods when telecommunications personnel are not able to give attention to the traffic on the system.
In accordance with the invention, the telecommunications system collects statistics of each user""s pattern of telecommunications usage. Typically, these statistics will be in the form of, say, the average number of calls per day or the average number of calls per day on given days of the week. It may also include the mean busy hour for the given days of the week. Moreover, daily averages may be taken not only for all calls but also for all calls of a particular type, e.g., of all international calls.
These statistics are taken for a reference period, such as the preceding thirty days, and the corresponding quantity for the current day is also computed. If the current statistics are not excessive as compared with the reference statistics, then access to a communications resourcexe2x80x94e.g., an outgoing trunk linexe2x80x94is granted to the call without any supplemental access restrictions. But if a predetermined deviation is detected between the current statistics and the reference statistics, then a supplemental restriction is placed upon the call.
For instance, the caller might be required to say his name before the connection is made, he might be transferred to a human operator for verification of access, or the requested connection may simply be denied. Additionally, the system would typically give the system administrator some kind of an alerting message to indicate that abnormal usage is occurring.
With this type of system, the restrictions are imposed, in some sense, in xe2x80x9creal timexe2x80x9d; there is ordinarily no need for a human administrator to take initiative to impose the restrictions or, even to analyze records for unusual activity.
In accordance with one aspect of the invention, moreover, the invention can be practiced in a way that makes it very easy for the administrator to implement. Specifically, apparatus for practicing the invention can be provided in the form of circuitry that is simply connected to one of the communications system""s ordinary lines. In the case of a PBX, that line would be one of the PBX""s internal extensions. The PBX is then simply configured so that it connects the DISA trunk line or lines to that extension whenever an incoming call comes over that DISA line. The access-control circuit at that extension takes the call, checks for the user""s identifier and password, requests the number of the called party, and, if the above-mentioned statistical requirements are met, simply sends the conventional transfer signal, e.g., a hook flash, to the PBX to obtain (typically) an outgoing trunk and delivers to the PBX the destination indicated by the incoming call. The PBX then makes the necessary connections in the conventional manner, and the access-control circuit is free to handle the next DISA call.
Clearly, such an arrangement is simple to implement, since it requires only that the access-control circuit be connected to an extension and that the PBX undergo the minor reconfiguration required to direct DISA calls to that extension.